New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices

A stealthy new form of malware is targeting Linux systems in attacks that can take full control of infected devices – and it is using this access to install crypto-mining malware. 

Dubbed Shikitega, the malware targets endpoints and Internet of Things devices that run on Linux operating systems and has been detailed by cybersecurity researchers at AT&T Alien Labs.

Shikitega Malware

  • The malware downloads and executes Metasploit's "Mettle" meterpreter to maximise its control over infected machines.
  • Shikitega exploits system vulnerabilities to gain elevated privileges, persist, and execute a crypto miner.
  • The malware uses a polymorphic encoder to make it harder for anti-virus engines to detect.
  • Shikitega abuses legitimate cloud services to host some of its command-and-control (C&C) servers.

The findings add to a growing list of Linux malware found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.

The exact method by which the initial compromise is achieved is still unknown, but what makes Shikitega evasive is its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.

The next downloaded and executed file is another small ELF file (around 1kb) encoded with the "Shikata Ga Nai" encoder. The malware decrypts a shell command and executes it by calling syscall_execve with "/bin/sh" as a parameter, passing the decrypted shell command.

The malware will leverage the exploit to download and execute the final stage with root privileges – persistence and cryptominer payload.

Recommended actions

  1. Keep software up to date with security updates.
  2. Install antivirus and/or EDR on all endpoints.
  3. Use a backup system to back up server files.

IoCs

  • dash[.]cloudflare.ovh
  • main[.]cloudfronts.net
  • 0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed
  • f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb
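As an added defender-side example (not part of the original advisory), a small Python sweep that refangs the two published domains, flags DNS queries for them or their subdomains in dnsmasq-style query-log lines, and compares file digests against the two published hashes. The log lines and file contents are constructed for illustration; the dnsmasq log format and the assumption that the hashes are SHA-256 are mine, not stated in the advisory.

```python
import hashlib
import re

# Indicators exactly as published in the advisory (domains are defanged with "[.]")
DEFANGED_DOMAINS = ["dash[.]cloudflare.ovh", "main[.]cloudfronts.net"]
HASH_IOCS = {  # 64 hex chars, assumed here to be SHA-256
    "0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed",
    "f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one (never a sibling)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


# Assumed dnsmasq log-queries format: "<ts> dnsmasq[pid]: query[A] host from ip"
QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def scan_dns_log(lines):
    """Return (client_ip, queried_host) pairs whose lookup hit an IoC domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and domain_matches(m.group(1)):
            hits.append((m.group(2), m.group(1).lower().rstrip(".")))
    return hits


def sha256_hits(files):
    """files: mapping path -> bytes. Return paths whose SHA-256 is a known IoC."""
    return sorted(p for p, data in files.items()
                  if hashlib.sha256(data).hexdigest() in HASH_IOCS)


# Constructed sample telemetry (not real log data)
SAMPLE_DNS_LOG = [
    "Sep  7 10:01:02 dnsmasq[811]: query[A] www.example.com from 10.0.0.5",
    "Sep  7 10:01:09 dnsmasq[811]: query[A] dash.cloudflare.ovh from 10.0.0.23",
    "Sep  7 10:01:10 dnsmasq[811]: query[A] notdash.cloudflare.ovh from 10.0.0.23",
    "Sep  7 10:01:44 dnsmasq[811]: query[AAAA] cdn.main.cloudfronts.net. from 10.0.0.42",
]

if __name__ == "__main__":
    for ip, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"IoC domain lookup: {host} from {ip}")
```

The sibling host `notdash.cloudflare.ovh` is deliberately left unflagged: matching on a suffix without the leading dot would produce that false positive.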

Published September 7th, 2022 | Linux Malware, Malware, Security Advisory, Security Update, Targeted Attacks

About the Author: FirstHackersNews